Action Summary

The risk assessment is the second step in the business
continuity planning process. It should include:

Evaluating the BIA assumptions using various threat
scenarios;

Analyzing threats based upon the impact to the institution, its
customers, and the financial market it serves;

Prioritizing potential business disruptions based upon their
severity, which is determined by their impact on operations and the
probability of occurrence; and

Performing a "gap analysis" that compares the existing BCP to
the policies and procedures that should be implemented based on
prioritized disruptions identified and their resulting impact on
the institution.

The risk assessment step is critical and has significant bearing
on whether business continuity planning efforts will be successful.
During the risk assessment step, business processes and the BIA
assumptions are evaluated using various threat scenarios. Refer to
Appendix F: "Business Impact Analysis Process" for additional
information. This will result in a range of outcomes that may
require changes to the BCP.

Financial institutions should develop realistic threat scenarios
that may potentially disrupt business processes and their ability
to meet clients' expectations (internal, business partners, or
customers). Threats can take many forms, including malicious
activity, natural and technical disasters, and pandemic
incidents. Refer to Appendix C: "Internal and External Threats"
and Appendix D: "Pandemic Planning" for additional information.
Where possible, institutions should analyze a threat by using
non-specific, all-risk planning that focuses on the impact of the
threat instead of the nature of the threat. For example, the
effects of certain threat scenarios can
include business disruptions that affect only specific personnel,
work areas, systems, facilities (i.e., buildings), or geographic
areas. Additionally, the magnitude of the business disruption
should consider a wide variety of threat scenarios based upon
practical experiences and potential circumstances and events. If
the threat scenarios are not comprehensive, the resulting BCP may
be too basic and omit reasonable steps that are needed for a timely
recovery after a disruption.

Threat scenarios should consider the severity of the disaster,
which is based upon the impact and the probability of business
disruptions resulting from identified threats. Threats may range
from those with a high probability of occurrence and low impact to
the institution, such as brief power interruptions, to those with a
low probability of occurrence and high impact to the institution,
such as hurricanes or terrorist attacks. The most difficult threats
to address are those that have a high impact on the institution but
a low probability of occurrence. However, through the use of
non-specific, all-risk planning, the BCP may be more flexible and
adaptable to all types of disruptions.

When assessing the probability of a disruption, financial
institutions and technology service providers should consider the
geographic location of all facilities, their susceptibility to
threats (e.g., location in a flood plain), and the proximity to
critical infrastructures (e.g., power sources, nuclear power
plants, airports, major highways, railroads). Worst-case scenarios,
such as destruction of the facilities and loss of life, should be
considered. As part of this process, external factors should also
be closely monitored to determine the probability of occurrence.
External factors can be monitored through constant communication
with community and government officials and regulatory authorities.
For example, institutions should monitor alerts issued by such
organizations as the Department of Homeland Security and the World
Health Organization, which provide information regarding terrorist
activity and environmental risks, respectively.

After analyzing the impact, probability, and the resulting
severity of identified threats, the institution can prioritize
business processes and estimate how they could be disrupted under
various threat scenarios. The resulting probability of occurrence
may be based on a rating system of high, medium, and low.

At this point in the business continuity planning process, the
financial institution should perform a "gap analysis." In this
context, a "gap analysis" is a methodical comparison of what types
of policies and procedures the institution (or business line)
should implement to recover, resume, and maintain normal business
operations, versus what the existing BCP provides. The difference
between the two highlights additional risk exposure that management
should address when developing the BCP.
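The prioritization and gap analysis described above, carried through in code as an added example (this is not from the FFIEC booklet). The booklet only says that impact and probability are rated high, medium, or low; the combination rule used here (product of the two ordinal ratings, with ties broken toward higher impact, since the high-impact/low-probability case is the hardest to address) is an assumption, and the scenario names, control names, and the contents of the existing BCP are constructed sample data.

```python
"""Rate threat scenarios by severity and compare required controls
against an existing BCP (gap analysis). Added example; the scoring
rule and all sample data are assumptions, not FFIEC guidance."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Ordinal ratings for impact and probability, as the booklet describes
# (high, medium, low). The numeric mapping is an assumption.
RATING: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    impact: str                      # "low" | "medium" | "high"
    probability: str                 # "low" | "medium" | "high"
    required_controls: FrozenSet[str] = field(default_factory=frozenset)


def severity(scenario: ThreatScenario) -> int:
    """Assumed combination rule: impact rating times probability rating."""
    return RATING[scenario.impact] * RATING[scenario.probability]


def prioritize(scenarios: List[ThreatScenario]) -> List[ThreatScenario]:
    """Rank scenarios by severity; ties go to the higher-impact scenario,
    so a high-impact/low-probability event outranks a low-impact/high-
    probability one with the same score."""
    return sorted(
        scenarios,
        key=lambda s: (-severity(s), -RATING[s.impact], s.name),
    )


def gap_analysis(
    scenarios: List[ThreatScenario], existing_bcp: FrozenSet[str]
) -> Dict[str, List[str]]:
    """For each prioritized scenario, list the controls it requires that
    the existing BCP does not provide. Scenarios with no gap are omitted."""
    gaps: Dict[str, List[str]] = {}
    for s in prioritize(scenarios):
        missing = s.required_controls - existing_bcp
        if missing:
            gaps[s.name] = sorted(missing)
    return gaps


# Constructed sample data (not from the booklet).
SCENARIOS: List[ThreatScenario] = [
    ThreatScenario("brief power interruption", "low", "high",
                   frozenset({"backup generator", "UPS"})),
    ThreatScenario("hurricane", "high", "low",
                   frozenset({"alternate data center", "offsite backups",
                              "staff relocation plan"})),
    ThreatScenario("malicious activity against core systems", "high", "medium",
                   frozenset({"offsite backups", "alternate data center",
                              "incident response plan"})),
    ThreatScenario("pandemic", "medium", "low",
                   frozenset({"remote work capability", "cross-trained staff"})),
]

# What the current BCP already provides (constructed).
EXISTING_BCP: FrozenSet[str] = frozenset(
    {"alternate data center", "backup generator", "offsite backups"}
)


def run_example() -> Dict[str, object]:
    """Return the ranked scenario names with scores and the gap report."""
    ranked = prioritize(SCENARIOS)
    return {
        "ranking": [(s.name, severity(s)) for s in ranked],
        "gaps": gap_analysis(SCENARIOS, EXISTING_BCP),
    }


if __name__ == "__main__":
    result = run_example()
    for name, score in result["ranking"]:
        print(f"{score}  {name}")
    for name, missing in result["gaps"].items():
        print(f"gap in '{name}': {', '.join(missing)}")
```

The gap report is ordered by the scenario ranking, so the first entries are the additional risk exposure management should address first when revising the BCP.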